2.5.1.2.3 Check Object-Specific Access
Goal
Verify the object-specific access requested by a user.
Context of Use
The user of the Active Directory client needs to access an attribute or set of attributes on an Active Directory object, and the Active Directory server needs to verify the user's access rights before granting access. Therefore, the Active Directory server uses this use case to verify the requested access rights by interacting with the authorization system through the Active Directory resource manager.
Actors
The actors are the same as described in section 2.5.1.2.1.
Stakeholders
The primary interest of the user is to read an individual attribute of an object or a set of attributes.
Preconditions
The identity of the user has been authenticated by the Authentication Services subsystem [MS-AUTHSOD].
The administrator has configured the required attribute level access permissions for the user on the Active Directory object using the Admin tool.
The Active Directory server has obtained the access token for the requesting user, as described in section 2.5.1.3, and has already sent a request to the Active Directory resource manager, passing the user's access token (also called the security context), the requested access rights, and other information.
The object's security descriptor has already undergone the SID substitution for Principal Self (see [MS-ADTS] section 5.1.3.3).
Main success scenario
Trigger: The user of an Active Directory client makes a request to the Active Directory server to read one attribute or set of attributes associated with an Active Directory object.
The Active Directory resource manager verifies the access rights of the user against the permissions on the object's security descriptor, as described in [MS-ADTS] section 5.1.3.3.3.
If the verification succeeds, the Active Directory resource manager returns success to the Active Directory server, indicating that the user has been granted access to the requested Active Directory object.
Postcondition
The Active Directory server enables access to the user to read all the information associated with the requested Active Directory object.
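The ordered DACL walk in the main success scenario, including the Principal Self substitution from the preconditions, as a simplified added example that is not part of this specification or of Windows: the SIDs, attribute GUID strings and the access-mask value are constructed placeholders, and property-set membership is omitted.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed illustration of an object-specific access check, not the
# Windows implementation; READ_PROP stands in for RIGHT_DS_READ_PROPERTY.
READ_PROP = 0x10
PRINCIPAL_SELF = "S-1-5-10"      # well-known Principal Self SID

@dataclass
class Ace:
    kind: str                          # "allow" or "deny"
    sid: str                           # trustee SID
    mask: int                          # access rights in this ACE
    object_type: Optional[str] = None  # attribute GUID; None = whole object

def substitute_principal_self(dacl, object_sid):
    """Replace Principal Self with the SID of the object being accessed
    (the precondition taken from [MS-ADTS] section 5.1.3.3)."""
    return [Ace(a.kind, object_sid if a.sid == PRINCIPAL_SELF else a.sid,
                a.mask, a.object_type) for a in dacl]

def check_attribute_read(token_sids, dacl, attribute_guid, object_sid=None):
    """True if the token may read attribute_guid. ACEs are walked in order:
    a matching deny covering a still-needed right fails the check, matching
    allows accumulate until nothing is left to grant, otherwise deny."""
    if object_sid is not None:
        dacl = substitute_principal_self(dacl, object_sid)
    remaining = READ_PROP
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.object_type not in (None, attribute_guid):
            continue           # ACE is scoped to a different attribute
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False               # implicit deny when nothing granted

# Constructed sample: user A's own object, read by A and by restricted user B.
ATTR_DESC, ATTR_PWD = "guid-description", "guid-unicodePwd"
USER_A, USER_B = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002"
DOMAIN_USERS, RESTRICTED = "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1100"
TOKEN_A = {USER_A, DOMAIN_USERS}
TOKEN_B = {USER_B, DOMAIN_USERS, RESTRICTED}
DACL = [                       # canonical order: explicit denies first
    Ace("deny", RESTRICTED, READ_PROP, ATTR_DESC),
    Ace("allow", PRINCIPAL_SELF, READ_PROP, ATTR_PWD),
    Ace("allow", DOMAIN_USERS, READ_PROP, ATTR_DESC),
]
```

Calling check_attribute_read for ATTR_PWD without object_sid shows why the substitution precondition matters: the Principal Self ACE never matches a real token SID and the read is denied.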